RE: Hotfixes overwritten?
From: Dennis M. Depp (dwd@ornl.gov)Date: 05/17/02
- Previous message: Greene, Michael: "RE: Hotfixes overwritten?"
- Maybe in reply to: Greene, Michael: "Hotfixes overwritten?"
- Next in thread: Sergey Latkin: "Re: Hotfixes overwritten?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 17 May 2002 11:11:10 -0400 From: "Dennis M. Depp" <dwd@ornl.gov> To: "Greene, Michael" <MGreene@lrs.com>, focus-ms@securityfocus.com
Please correct me if I am wrong. My understanding is with Windows 2000 the process of having to reinstall a service pack or hotfix after installing a new service was eliminated. I don't understand the technical features of this process, but when I install a new service, are not the necessary files already supposed to be implace? Have you checked to verify that not all the files for the service were updated? If so, can you give a more specific senario?
Dennis
-----Original Message-----
From: Greene, Michael [mailto:MGreene@lrs.com]
Sent: Friday, May 17, 2002 10:06 AM
To: focus-ms@securityfocus.com
Subject: Hotfixes overwritten?
Microsoft has published information about slip-streaming service packs into CD images. This is normally done by expanding the service pack files and overwriting the respective contents of the i386 directory. The intentions here are to prevent changed files from being overwritten on the hard drive when the operating system requests the CD. For instance, if an administrator needed to add a Windows 2000 component such as DNS, the CD would now be up to date so that the service pack would not have to be reapplied after installation. It is a well-known concept (or it should be) that if you make changes to the operating system files without using a slip-streamed CD, you should reapply service packs to prevent known issues.
So what about security hotfixes? There is apparently no way to take this kind of action when applying the Post Service Pack 2 Security Roll-up. Nor is there any way to slipstream the "critical updates" Microsoft so frequently releases. So, when a new service is installed from the CD, are the security hotfixes overwritten?
There IS an article on the Microsoft web site that explains how to chain the hotfixes to the installation point so they are applied after installation. Please, don't confuse this with slip-streaming the files directly into the cd.
Neither hfnetchk, MBSA, or Windows Update do a full check of the files or registry keys changed by hotfixes, so the reports of these scanners are insufficient to report when a server has become vulnerable because of an overwritten hotfix. So the only logical conclusion is that anytime a new service is installed, the only way to insure the security of the data on the machine (speaking strictly in terms of operating system flaws) is to uninstall every hotfix and reapply them. Granted, this should not be an all day task using Qchain to apply regression tested hotfixes from a network installation point.
But my question is, why on earth would Microsoft include the ability to slipstream service packs but not security hotfixes?
____________________________
Michael Greene
Levi, Ray and Shoup, Inc.
IT Solutions - Security Team
(217)793-3800 x1253
- Previous message: Greene, Michael: "RE: Hotfixes overwritten?"
- Maybe in reply to: Greene, Michael: "Hotfixes overwritten?"
- Next in thread: Sergey Latkin: "Re: Hotfixes overwritten?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
